Re: Sql injection attacks
From | Peter Eisentraut |
---|---|
Subject | Re: Sql injection attacks |
Date | |
Msg-id | 200407260107.55560.peter_e@gmx.net |
In reply to | Sql injection attacks (Geoff Caplan <geoff@variosoft.com>) |
List | pgsql-general |
Geoff Caplan wrote:

> I'm new to Postgres and trying to get up to speed on the security
> issues. There seems to be remarkably little Postgres specific stuff
> on preventing SQL injection attacks.

If you use prepared statements (the details of which vary by programming language), you should be quite safe.

> Most of the online literature is on MS SQL Server. There, the
> consensus seems to be that the range of potential attacks is so wide
> that attempting to spot attack signatures in posted data is a doomed
> enterprise, and that the safest general approach for any dynamically
> built query is to execute it as a stored procedure.

That won't necessarily help you on PostgreSQL, because in stored procedures you can paste together queries from user-provided strings.

--
Peter Eisentraut
http://developer.postgresql.org/~petere/
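The point Peter makes, that a stored procedure is only as safe as the way it builds its query text, can be seen side by side in PL/pgSQL. The following is an added illustration, not code from the thread; the `accounts` table, its two rows and the function names are constructed for the example.

```sql
-- Constructed example table (assumption: not part of the original thread).
CREATE TABLE accounts (
    id       serial PRIMARY KEY,
    username text NOT NULL,
    email    text NOT NULL
);
INSERT INTO accounts (username, email) VALUES
    ('alice', 'alice@example.org'),
    ('bob',   'bob@example.org');

-- Unsafe: the function body pastes the caller's string straight into the
-- query text, so this stored procedure is exactly as injectable as string
-- concatenation in application code would be.
CREATE OR REPLACE FUNCTION find_email_unsafe(p_user text)
RETURNS SETOF text
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT email FROM accounts WHERE username = ''' || p_user || '''';
END;
$$;

-- Safe: the parameter travels separately from the query text via USING,
-- so whatever the string contains, it is compared as one literal value.
CREATE OR REPLACE FUNCTION find_email_safe(p_user text)
RETURNS SETOF text
LANGUAGE plpgsql AS $$
BEGIN
    RETURN QUERY EXECUTE
        'SELECT email FROM accounts WHERE username = $1'
        USING p_user;
END;
$$;

-- Simplest of all: when the query needs no dynamic structure, write it as
-- plain SQL in the function body; p_user is then a parameter, never text.
CREATE OR REPLACE FUNCTION find_email_static(p_user text)
RETURNS SETOF text
LANGUAGE sql STABLE AS $$
    SELECT email FROM accounts WHERE username = p_user;
$$;

-- A value containing a quote character (constructed input: o'brien) is
-- handled as data by the parameterised versions; it simply matches no row.
SELECT * FROM find_email_safe('o''brien');
SELECT * FROM find_email_static('o''brien');

-- The same call against find_email_unsafe raises a syntax error, because
-- the quote ended the literal and the rest was parsed as SQL text. That
-- error is the symptom to look for when reviewing EXECUTE-based functions.
-- SELECT * FROM find_email_unsafe('o''brien');
```

When the dynamic part really is structure (a table or column name chosen at runtime) rather than a value, `EXECUTE format(...)` with `%I` for identifiers and `%L` for literals gives the same separation; plain `||` concatenation of anything user-supplied is what to grep for in a code review.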
In pgsql-general by date: